Evan Norris and Morgan J Cohen, Cravath, Swaine & Moore LLP

This is an extract from the 2021 edition of GIR's The Americas Investigations Review. The whole publication is available here

In summary

This chapter examines the tools US enforcement authorities conducting cross-border investigations have come to rely on to obtain evidence located in foreign countries. The first section reviews the formal and informal legal mechanisms through which US authorities obtain foreign evidence. The second section examines the US–UK bilateral agreement implementing the CLOUD Act. Finally, the third section takes a close look at recent legal challenges to US prosecutors’ ability to use mutual legal assistance treaty requests to toll statutes of limitation that would otherwise have expired prior to indictment.

Discussion points

  • Requirements and issues related to obtaining evidence via mutual legal assistance treaty requests and other mechanisms
  • US–UK bilateral agreement pursuant to the CLOUD Act
  • Recent legal challenges to US prosecutors’ ability to use mutual legal assistance treaty requests to toll statutes of limitation that would otherwise have expired prior to indictment

Referenced in this article

  • Mutual legal assistance treaty requests
  • 28 USC 1781, 28 USC 1782, 18 USC 3512 and 18 USC 3292
  • Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information
  • Egmont Group of Financial Intelligence Units
  • CLOUD Act
  • UK–US Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime
  • United States v Bogucki, United States v Basesand United States v Vorley


Over the past several years, cross-border investigations have become a routine part of the enforcement landscape in the United States. At the same time, the ways in which US criminal and regulatory enforcement authorities have collaborated with their foreign counterparts to collect evidence and pursue investigative leads has evolved. That evolution continues today, even as the covid-19 pandemic has disrupted the in-person network building that has fuelled much of that collaboration. Against this backdrop, this chapter examines the tools US enforcement authorities have come to rely on obtain evidence located in foreign countries, focusing on a number of recent, key developments.

The first section reviews the formal and informal legal mechanisms through which the US Department of Justice (DOJ) and other enforcement authorities obtain foreign evidence. The section begins with a discussion of requests made via mutual legal assistance treaty (MLAT) – the primary tool in the foreign evidence collection toolbox – and then briefly describes several alternative mechanisms through which such evidence may be obtained.

The second section focuses on the mechanics of the October 2019 bilateral agreement between the United States and United Kingdom implementing the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a 2018 law that created a partial alternative to the MLAT process in an effort to streamline the exchange of electronic data between US and foreign enforcement authorities. The US–UK bilateral agreement – the first agreement of its kind – took effect in July 2020.

The third section addresses the ability of US prosecutors to use MLAT requests secretly to obtain approval to suspend the statute of limitations in criminal investigations. The DOJ’s reliance on this practice – permitted by statute and particularly useful for prosecutors in charge of long-running white-collar investigations – has recently come under scrutiny by defence counsel and reviewing courts.

Tools for obtaining foreign evidence

MLAT requests: the primary tool

MLAT requests are the most common method through which US enforcement authorities enlist the cooperation of foreign partners during cross-border investigations. MLATs are bilateral treaties that authorise government attorneys to request and obtain evidence – physical, documentary and testimonial – located abroad. The categories of law enforcement assistance that may be provided are unique to each treaty but typically include the following:

  • obtaining documentary or electronic evidence;
  • serving judicial or other documents;
  • locating or identifying persons or evidence;
  • taking testimony abroad;
  • requesting searches and seizures;
  • identifying and tracing the proceeds of crime; and
  • executing asset freezes and seizures. 

Most MLATs also include a catchall provision that authorises the transfer of any evidence located in the country to which the assistance request is made that is not otherwise prohibited by that country’s law. 

The United States has signed MLATs with over 70 countries, including every member state of the European Union. Each treaty defines the scope of the parties’ mutual assistance obligations and the process through which an assistance request may be submitted. All MLATs are administered by a central authority, with the central authority for the United States being the DOJ’s Office of International Affairs (OIA), which processes all incoming and outgoing MLAT requests.  Although the United States primarily uses MLATs in connection with criminal investigations conducted by the DOJ, they are available for use by certain civil regulators primarily the US Securities and Exchange Commission (SEC) – in certain cases and in certain jurisdictions. 

To submit an outgoing request, a US prosecutor – typically a DOJ trial attorney or an assistant US attorney from one of the US attorney’s offices located in one of the 94 federal judicial districts – sends an MLAT request to OIA for substantive review. Once final, the request is translated and filed directly with the foreign central authority designated by the relevant MLAT. The foreign central authority then reviews the request for compliance with the categories of assistance enumerated in the treaty, and, assuming the request is deemed compliant, executes the request.

Outgoing MLATs are not subject to judicial oversight by US courts, although the receiving government’s execution of the request may be subject to varying degrees of court supervision depending on its domestic law. US prosecutors are also not required by US law to provide either notice to the target of the MLAT or an opportunity for the target to challenge or limit whatever is requested – though, here again, the requested government’s domestic law may require such notice. Accordingly, MLAT requests can be extremely powerful investigative tools for US prosecutors conducting cross-border investigations.  

The DOJ does not routinely disclose either how many MLAT requests are issued and received or, of those, how many are granted. But DOJ has stated recently that:

The number of MLAT requests has increased dramatically in recent years, in light of the massive volume of electronic communications that occur daily over the Internet and the enormous amount of electronic data held by companies throughout the world.  

A few additional observations about the MLAT process that are important for practitioners to understand:

Dual criminality

Unlike most extradition treaties, most mutual legal assistance treaties do not require dual criminality – that is, they typically do not require that the conduct being investigated by the requesting country constitute a crime in the requested country. Some MLATs, however, limit the type of assistance the requested country may provide when the underlying offense would not constitute a crime under the requested country’s law.   Moreover, in countries with domestic laws requiring dual criminality for international treaties, the MLAT will typically include a specifically enumerated list of covered offenses for which mutual assistance may be provided.  


Courts and prosecutors in the United States and abroad, including the former US attorney general,  have criticised the MLAT request process as being too slow for contemporary cross-border criminal investigations.  Indeed, the process can take one or more years before any evidence is obtained.

The delays associated with MLAT requests have prompted attempts at reform. In the past few years, the DOJ has created two new units dedicated to reviewing and executing incoming MLAT requests, including a centralised ‘cyber unit’ that, among other things, processes MLAT requests for electronic evidence.  The latter unit was meant to address the growing backlog in MLAT requests for computer records, which increased by over 1,000 per cent between 2000 and 2017. 

And in 2018, in part to further address these delays, the United States enacted the CLOUD Act in 2018 to modernise and speed up the exchange of electronic evidence in cross-border investigations.

More recently, the covid-19 pandemic has led to additional delays. In June 2020, the DOJ’s former criminal division chief stated that both outgoing and incoming MLAT requests have been more difficult to process during the pandemic, particularly with respect to requests that ‘need to go to third-party providers’. 

Statute of limitations

One potential consequence of the delays encountered when the US authorities seek foreign evidence via MLAT is that the statute of limitations for the offence under investigation may expire before the request is fulfilled. To address this problem, US prosecutors are authorised by 18 United States Code (USC) Section 3292 to file an ex parte application in federal court to toll the statute of limitations during the pendency of an MLAT request. If the court finds by a preponderance of the evidence that ‘it reasonably appears’ that the requested evidence is located in the country identified by the DOJ, it may toll the statute of limitations for up to three years.  The tolling period ends on the date on which the requested government fulfils the request.  As discussed in the last section of this chapter, defendants in a handful of recent cases have raised concerns about whether the DOJ has used such requests improperly.

Other tools for obtaining foreign evidence

Although the MLAT request is the primary mechanism through which US enforcement authorities request evidence located in foreign countries, alternative mechanisms also exist, some of which are the following:

Memoranda of understanding

A memorandum of understanding (MOU) can be either a binding formal treaty or non-binding informal agreement between two or more countries (or countries’ government agencies) regarding a given subject matter. In the United States, both criminal and civil enforcement authorities have executed MOUs with their foreign counterparts that, among other things, authorise the sharing of information and evidence. The DOJ, for example, has agreed to several MOUs with other countries pertaining to narcotics trafficking. On the civil side, the SEC has signed MOUs with over 30 foreign regulators. 

One such MOU, the Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information (MMOU) – an MOU created by the International Organization of Securities Commissions (IOSCO) that currently has more than 100 signatories  – has been the SEC’s primary tool for obtaining evidence from foreign securities regulators since it was initially agreed in 2002. Prior to the creation of the MMOU, the SEC relied on bilateral information-sharing MOUs with securities authorities for individual countries. Although many of those agreements remain in effect today and supplement the powers of the MMOU, the creation of the MMOU provided a broader, uniform framework for mutual assistance across jurisdictions.

In 2016, IOSCO established an Enhanced Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information (Enhanced MMOU) in an effort to broaden the original agreement and expand its information-sharing mechanisms to enable regulators ‘to respond to the risks and challenges posed by globalisation and advances in technology since 2002’.  The changes in the Enhanced MMOU reflect the increased importance of technology in markets and the need to analyse electronic data in order to investigate potential financial misconduct.

In 2019, the SEC and Swiss Financial Market Supervisory Authority joined the Enhanced MMOU and the Dubai Financial Services Authority joined in 2020. Fourteen IOSCO member agencies representing eight jurisdictions – including the United Kingdom, Canada, Singapore, Korea and Hong Kong – have now signed one of the two Enhanced MMOU appendices. 

Multilateral conventions

Cross-border requests for assistance may also be made pursuant to a number of multilateral conventions. The two conventions that are most commonly relied upon are the UN Convention Against Corruption  (for corruption and related money laundering offences)  and the UN Convention Against Transnational Organised Crime  (for ‘organised crime’ offences and related money laundering offences).  Requests can also be made under other treaties that specifically pertain to drug-related offences,  terrorism-related offences,  offences generally occurring in the Western Hemisphere,  as well as other subject and location-specific issues. 

Letters rogatory

Letters rogatory are formal requests for judicial assistance made by a court in one country to a court in another country. The submission of a letter rogatory is the ‘customary method’ by which US enforcement agencies may obtain documentary evidence or testimony from witnesses located abroad in the absence of an MLAT or MOU.  Letters rogatory are less formal than MLAT requests and may be used by both government and non-government litigants in criminal and civil matters. Pursuant to 28 USC Section 1781, outgoing letters rogatory are made by counsel – including counsel for US enforcement authorities – in US courts and issued by the US State Department to the requested foreign country.  Section 1781, however, also allows the court to bypass the State Department and transmit an outgoing letter rogatory directly to the ‘foreign tribunal, officer or agency’.  Although foreign courts will typically honour requests via letters rogatory, compliance is ultimately left to the discretion of the courts in the requested country and subject to that country’s legal procedures. 

Egmont Group

The Financial Crimes Enforcement Network (FinCEN) – an independent, non-governmental organisation that writes and enforces the rules governing registered brokers and broker-dealer firms in the United States – may share financial intelligence with its foreign counterparts through its membership in an international organisation known as the Egmont Group of Financial Intelligence Units (Egmont Group). The Egmont Group comprises the financial intelligence units (FIUs) of 164 countries and provides a platform for FIUs to exchange information and expertise in order to combat money laundering and terrorist financing. Although strict limits are placed on the use of financial intelligence received through the Egmont Group – among other things, such information may not be introduced as evidence in court – FIUs and other enforcement authorities do use such intelligence to identify additional evidence that can be made public or locate assets for seizure or confiscation. 

Informal exchange

US enforcement authorities also rely on growing networks of foreign contacts to obtain evidence and other relevant information on an informal basis.  Such exchanges of information may occur between individual prosecutors or officials, a practice colloquially referred to as a ‘law enforcement to law enforcement’ or ‘police to police’ exchange. Canadian authorities, for example, have said they use ‘police-to-police cooperation’ in lieu of an MLAT for ‘straightforward’ requests such as ‘ask[ing] [the United States] to do an interview, or vice versa’. 

Direct contact between enforcement authorities in institutional settings can also facilitate the informal exchange of information. According to one senior DOJ prosecutor, meetings between DOJ and foreign prosecutors held by the Organisation for Economic Co-operation and Development (OECD) have had a ‘pivotal impact’ on the DOJ’s interactions with its foreign counterparts. In particular, the meetings reportedly provided an opportunity for attendees to both follow up on the status of existing MLAT requests and obtain information material to anticipated MLAT requests.  In July 2020, the senior deputy chief of the DOJ’s fraud section – the section that, among other things, supervises the enforcement of the FCPA – praised the ‘good relationships’ that had been built during regular meetings between enforcement authorities from countries that are party to the OECD’s Anti-Bribery Convention. 

More broadly, the participation of US enforcement authorities in international conferences – and, post-covid, in webinars and video conferences  – is common.  As these forums for direct interaction between enforcement authorities continue to grow and evolve, practitioners can expect informal information exchanges to continue to be used to facilitate or even supplant the formal cooperation mechanisms discussed above.

The CLOUD Act: a new tool for collecting foreign evidence

CLOUD Act background and requirements

In March 2018, the US Congress passed the CLOUD Act, in part to address delays associated with MLAT requests for electronic information, such as email, texts, social media posts and other forms of electronic communication. According to a 2019 DOJ white paper:

While the MLAT process remains a critical evidence-gathering mechanism, the system has faced significant challenges keeping up with the increasing demands for electronic evidence in criminal investigations worldwide.  

The white paper explains that electronic information stored by communications service providers (CSPs) poses unique challenges to the MLAT process because ‘many CSPs move data among data storage centers in various countries and split up data into different pieces stored in different locations’, practices that make it ‘difficult both for governments and for the CSPs themselves to know where relevant data is located at any point in time for purposes of sending and fulfilling MLAT requests’. 

The CLOUD Act attempted to address these issues through two significant changes to US law.

First, and most well-known, the CLOUD Act authorises US federal and state enforcement authorities to lawfully access data in the possession, custody or control of CSPs subject to US jurisdiction, regardless of where in the world the data is physically stored. This provision resolved an ambiguity in a prior law by clarifying that even if a CSP subject to US jurisdiction stores data outside the United States, it must still produce that data to US enforcement authorities when served with a subpoena or warrant. 

Second, the CLOUD Act created a framework for the negotiation of bilateral treaties that would give certain foreign enforcement authorities – Qualified Foreign Governments (QFGs) – the ability to directly request data stored by US-based CSPs without requiring an MLAT request, and vice versa.

To obtain QFG status, a country must first satisfy a list of criteria to ensure that it has ‘adequate’ laws regarding human rights, civil liberties, cybercrime and government data collection.  Although such laws need not be identical to mirror US legal safeguards, they must, among other things:

  • include numerous provisions protecting privacy and civil liberties;
  • be used only to obtain information relating to the prevention, detection, investigation or prosecution of ‘serious crime’;
  • provide that orders requesting data must:
    • be lawfully obtained under the QFG’s laws;
    • target specific individuals or accounts;
    • be based on articulable and credible facts; and
    • be subject to review by an independent authority, such as a court;
  • prohibit bulk data collection;
  • not target US persons or any persons located in the United States;
  • not be used to infringe upon freedom of speech; and
  • be subject to periodic joint review by the parties to ensure that it is being properly applied. 

If these criteria are satisfied, the country may then enter into a bilateral agreement with the United States, which, in turn, must be certified by the attorney general and secretary of state and sent to Congress for approval or rejection.

Once the United States executes a bilateral CLOUD Act agreement with a QFG, the QFG may serve its domestic legal process directly on a US-based CSP, which, in turn, may voluntarily comply with that process and produce the requested electronic information directly to the QFG, even where such compliance would otherwise violate US law. Importantly, the CLOUD Act does not require US-based CSPs to comply with QFG-issued legal process – it merely permits them to do so without incurring US legal liability. Additionally, a US-based CSP that receives QFG-issued legal process can challenge the validity of that process under the QFG’s law to the extent permitted by that law. Because the CLOUD Act removes US legal prohibitions on disclosing electronic information in response to QFG-issued legal process, a QFG reviewing court would not need to engage in a conflict of laws analysis.

US–UK CLOUD Act Agreement

In October 2019, the first bilateral CLOUD Act agreement was executed between the US and a QFG – the United Kingdom.  The DOJ described the agreement (the Agreement) as the:

world’s first ever CLOUD Act Agreement that will allow American and British law enforcement agencies, with appropriate authorization, to demand electronic data regarding serious crime, including terrorism, child sexual abuse, and cybercrime, directly from tech companies based in the other country, without legal barriers. 

The DOJ further stated that ‘the current legal assistance process can take up to two years, but the Agreement will reduce this time period considerably, while protecting privacy and enhancing civil liberties’. 

Importantly, though the CLOUD Act itself does not define ‘serious crime’, the definition in the Agreement makes clear that it extends not just to the types of crimes highlighted by the DOJ in its public statements but to all crimes punishable by more than three years in prison – a category that includes virtually all federal felonies. 

The Agreement includes a number of additional, significant provisions:

Certification by designated authority  

The Agreement specifies that cross-border orders must be reviewed and certified as lawful by the issuing party’s designated authority. For the United States, this is a governmental entity designated by the attorney general. For the United Kingdom, the designation must be done by the Secretary of State for the Home Department. The certification must be in writing, based on a finding that the order complies with all of the requirements of the agreement and any other applicable law.

Opportunity to object and review procedures  

Where CSPs have specific objections to complying with a cross-border order, they may raise such objections with the issuing country’s designated authority. If the objections are not resolved, the CSP may raise the same objections with its own country’s designated authority and the two governments are then required to reach an agreement. Importantly, ultimate veto power is vested in the CSP’s designated authority.

Use restrictions  

The Agreement authorises the United Kingdom to veto the use of evidence that US authorities have obtained from UK-based CSPs in any case in which the death penalty is sought. Similarly, the United States is authorised to veto the use of evidence that US authorities have obtained from US-based CSPs in any case that raises free speech concerns.

Consistent with the requirements of the CLOUD Act, the Agreement requires the United Kingdom to follow certain targeting and minimisation procedures (ie, protocols that address the acquisition, dissemination and retention of data) in order to protect the data of US persons, wherever located, and persons in the United States. Notably, any changes to such procedures must be approved by the other party before implementation.


The Agreement establishes similar, but not identical, minimisation provisions with respect to US targeting of the data of UK persons. Although the United States may not target the data of persons within the United Kingdom, UK citizens and permanent residents are not subject to this protection outside the UK.

The Agreement took effect in July 2020. Although commentators have described the Agreement as ‘a significant shift away from existing cross border data access mechanisms’,  time will tell what impact the Agreement will have on cross-border investigations in practice and whether other such agreements will follow.

The use of MLATs to suspend the statute of limitations

A recent, notable development on the defence side is that defendants in a handful of cases have argued that prosecutors purposefully misused the MLAT request process to suspend statutes of limitation that would otherwise have expired. In January 2020, these allegations gained some unexpected support in a letter filed by a former DOJ attorney with the DOJ’s internal watchdog that alleges that prosecutors in certain cases used the MLAT request process not to obtain evidence to further an investigation but rather as a pretext to suspend the statute of limitations. 

Although there is no evidence to suggest that there is any kind of systematic misuse of the MLAT process at the DOJ, these cases – even if isolated – are nonetheless noteworthy as they are alerting courts and practitioners to a potential issue and drawing greater scrutiny to a practice that was previously little understood.

The most well-known of these cases is United States v Bogucki, a case currently pending in federal court in San Francisco. In Bogucki, the DOJ charged the former head of fixed-income trading at Barclays PLC in January 2018 with wire fraud, which carries a five-year statute of limitations. In August 2016, while the investigation was ongoing and approximately two months before the statute of limitations was set to run, prosecutors made an MLAT request to the United Kingdom for the defendant’s travel records and, at the same time, made a sealed application to the district court to toll the statute of limitations pursuant to 18 USC Section 3292 while the MLAT request was processed and executed. 

After Bogucki was ultimately indicted in 2018, he quickly moved to dismiss on the grounds that the indictment was time barred. He argued that the DOJ’s MLAT request was ‘frivolous’ and an attempt ‘to obtain additional time [to investigate] rather than [to obtain] evidence of criminal activity’.  The defendant argued that the DOJ already had access to the information it claimed was located in the United Kingdom because Barclays had already cooperated extensively with the investigation, provided a large number of documents relevant to the MLAT request and was required to continue cooperating with the DOJ based on the terms of a prior settlement. 

During oral argument on the motion to dismiss, the DOJ did not respond to the proposition that the MLAT request was pretextual, but instead argued that the court had ‘no basis going beyond the four corners’ of the request and the government’s motivations or strategy behind an MLAT request should not be scrutinised.  The court rejected the DOJ’s argument and ordered an evidentiary hearing into the timing of and motivation for the MLAT request.  Four days after the entry of that order, the DOJ dropped the wire fraud charges and obtained a superseding indictment on different charges that carried a 10-year statute of limitations, thereby mooting the necessity of the evidentiary hearing. 

The author of the letter filed earlier this year with DOJ’s internal watchdog claims to have reviewed the MLAT request at issue in Bogucki and determined that it was pretextual.  The author further claims that the MLAT request upon which prosecutors relied to extend the statute of limitations in another case – United States v Bases – was also pretextual. 

In Bases, the government submitted the MLAT request in December 2016 to the United Kingdom requesting information from several banks, including Bank of America Merrill Lynch and Deutsche Bank AG.  Based on the MLAT request, the government applied for, and the court approved, an order tolling the statute of limitations into investigations of trading activity at those banks pursuant to 18 USC Section 3292.

In January 2018, the government charged the defendants in Bases in a criminal complaint alleging various conspiracies, wire fraud, commodities fraud and spoofing, a prohibited form of trading. The former DOJ attorney’s letter stated that the five-year statute of limitations applicable to the spoofing charges had been tolled as of December 2016, based on the court’s tolling order. In July 2018 (and just a few months after the DOJ in Bogucki had dropped the wire fraud charges), the government dropped these charges and instead obtained an indictment charging the defendants with wire fraud affecting a financial institution and conspiracy to commit wire fraud affecting a financial institution, which carry a 10-year statute of limitations. 

In February 2020, the defendants in Bases – as well as the defendants in a companion case, United States v Vorley – moved to compel the government to produce the evidence underlying its application for the tolling order. The government replied that, because of the indictment, which superseded the original complaint that relied on the five-year statute of limitations, it did not rely on the tolling order at issue and that any alleged misconduct is irrelevant given the new charges. The motion in Vorleywas denied in August 2020 after a telephonic hearing.  At the time of writing, the Bases motion remained pending.

While it is too early to draw any definitive conclusions from these cases, the growing awareness regarding this issue is itself noteworthy. We anticipate that going forward there will be more requests to the DOJ for discovery and for courts to conduct evidentiary hearings to determine whether the government had a non-pretextual basis to request a tolling order.


As cross-border investigations have become an increasingly routine part of US law enforcement, the tools US authorities rely on to obtain evidence and information located in foreign countries have been used with greater frequency and, accordingly, are receiving added scrutiny. Although many of the tools described in this chapter have been around in some form for years, in practice their use is dynamic and they will continue to evolve as cross-border investigations continue to grow in number and significance. This will remain an important area to watch in the years ahead.

Subscribe here for related content, breaking news and market analysis from Global Investigations Review. Global Investigations Review provides exclusive news and analysis and other thought-provoking content for those who specialise in investigating and resolving suspected corporate wrongdoing.